[Openvas-commits] r1292 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Sat Sep 6 11:16:57 CEST 2008


Author: ckm
Date: 2008-09-06 11:16:56 +0200 (Sat, 06 Sep 2008)
New Revision: 1292

Added:
   trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/version_func.inc
Log:
 * scripts/gnutls_CB-A08-0079.nasl: New.
 * scripts/version_func.inc: changed function find_file
   to find any file on the local or a remote host using locate
   and/or find.



Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-09-05 21:44:03 UTC (rev 1291)
+++ trunk/openvas-plugins/ChangeLog	2008-09-06 09:16:56 UTC (rev 1292)
@@ -1,3 +1,10 @@
+2008-09-06  Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+
+	* scripts/gnutls_CB-A08-0079.nasl: New.
+	* scripts/version_func.inc: changed function find_file
+	to find any file on local or remote Host using locate
+        and/or find.
+
 2008-09-05  Chandrashekhar <bchandra at secpod.com>
 	* scripts/secpod_clamav_invalid_mem_access_dos_vuln_900117.nasl,
           scripts/secpod_hp_openview_nnm_dos_vuln_900211.nasl:

Added: trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl	2008-09-05 21:44:03 UTC (rev 1291)
+++ trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl	2008-09-06 09:16:56 UTC (rev 1292)
@@ -0,0 +1,130 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90026);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-1948");
+ name["english"] = "GnuTLS < 2.2.5 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
+
+Impact
+
+   CVE-2008-1948
+     The _gnutls_server_name_recv_params function in lib/ext_server_name.c
+     in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly
+     calculate the number of Server Names in a TLS 1.0 Client Hello
+     message during extension handling, which allows remote attackers
+     to cause a denial of service (crash) or possibly execute arbitrary
+     code via a zero value for the length of Server Names, which leads
+     to a buffer overflow in session resumption data in the
+     pack_security_parameters function, aka GNUTLS-SA-2008-1-1.
+
+   CVE-2008-1949
+     The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c
+     in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to
+     process Client Hello messages within a TLS message after one has
+     already been processed, which allows remote attackers to cause a
+     denial of service (NULL dereference and crash) via a TLS message
+     containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.
+
+   CVE 2008-1950
+     Integer signedness error in the _gnutls_ciphertext2compressed
+     function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4
+     allows remote attackers to cause a denial of service (buffer over-read
+     and crash) via a certain integer value in the Random field in an
+     encrypted Client Hello message within a TLS record with an invalid
+     Record Length, which leads to an invalid cipher padding length,
+     aka GNUTLS-SA-2008-1-3.
+
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950
+
+Solution:
+    All GnuTLS users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines GnuTLS < 2.2.5 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test";
+ script_family(english:family["english"]);
+ script_dependencies("gather-package-list.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+local_var ver, sec_hole, sec_proto, grep,  r, i, t, l;
+
+sec_hole = 0;
+sec_proto = "GnuTLS";
+ver = NULL;
+r = NULL;
+
+  r = find_bin(prog_name:"libgnutls-config");
+  if( isnull(r) ) {
+    r = find_bin(prog_name:"gnutls-cli");
+  }
+  if( ! isnull(r) ) {
+    r[0] = chomp(r[0]);
+    ver = get_bin_version(full_prog_name:r[0], version_argv:"--version", ver_pattern:"([0-9\.]+)");
+  }
+  if(isnull(ver) || version_is_less(version:ver[0], test_version:"2.2.5") ) {
+    grep = find_bin(prog_name:"grep");
+    grep = chomp(grep[0]);
+    l = find_file(file_path:"/usr/lib64/", file_name:"libgnutls.so.*.*");
+    i = 0;
+    foreach t (l) {
+      if( "libgnutls.so" >< t ) {
+        r[i++] = t;
+      }
+    }
+    l = find_file(file_path:"/usr/lib/", file_name:"libgnutls.so.*.*");
+    foreach t (l) {
+      if( "libgnutls.so" >< t ) {
+        r[i++] = t;
+      }
+    }
+    garg[0] = "-o";
+    garg[1] = "-m1";
+    garg[2] = "-a";
+    garg[3] = string("Received zero size server name");
+    foreach binary_name (r) {
+      binary_name = chomp(binary_name);
+      if (islocalhost()) {
+        garg[4] = binary_name;
+        arg = garg;
+      } else {
+        arg = garg[0]+" "+garg[1]+" "+garg[2]+" "+raw_string(0x22)+garg[3]+raw_string(0x22)+" "+binary_name;
+      }
+      ver = get_bin_version(full_prog_name:grep, version_argv:arg, ver_pattern:"(Received zero size server name)");
+      if( isnull(ver) ) {
+        if(sec_hole == 0) {
+          security_hole(port:0, proto:sec_proto);
+          sec_hole = 1;
+        }
+        security_hole(port:0, proto:sec_proto, data:string("\nFound : ") + binary_name + string("\n"));
+      }
+    }
+  }
+exit(0);
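Review bot: The library paths gathered by the two `foreach t (l)` loops are appended into `r` with `i = 0` but `r` itself is never cleared, so when neither find_file() call returns a match `r` still holds the find_bin() result for libgnutls-config or gnutls-cli and grep is run against that binary, which will not contain the marker string and is therefore reported as "Found". Because a null grep result is treated as vulnerable in `if( isnull(ver) )`, any grep error (unreadable file, failed SSH command) also produces a false positive, and `grep = chomp(grep[0]);` indexes the find_bin() result without an isnull check. Suggest `if( isnull(grep) ) exit(0);` after the find_bin() call and `r = NULL; i = 0;` before the first foreach, and treating an empty or error-bearing grep output as inconclusive rather than as a hit. `garg`, `arg` and `binary_name` are also missing from the local_var list at the top of the script.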


Property changes on: trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
___________________________________________________________________
Name: svn:executable
   + *

Modified: trunk/openvas-plugins/scripts/version_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/version_func.inc	2008-09-05 21:44:03 UTC (rev 1291)
+++ trunk/openvas-plugins/scripts/version_func.inc	2008-09-06 09:16:56 UTC (rev 1292)
@@ -21,9 +21,9 @@
   } else {
       sock = ssh_login_or_reuse_connection();
       if (sock) {
-        r = split(ssh_cmd(socket:sock, cmd:"locate *bin/"+prog_name, timeout:20));
-        whe = ssh_cmd(socket:sock, cmd:"whereis -b "+prog_name, timeout:20);
-        whi = ssh_cmd(socket:sock, cmd:"which -a "+prog_name, timeout:20);
+        r = split(ssh_cmd(socket:sock, cmd:"locate *bin/"+prog_name, timeout:60));
+        whe = ssh_cmd(socket:sock, cmd:"whereis -b "+prog_name, timeout:60);
+        whi = ssh_cmd(socket:sock, cmd:"which -a "+prog_name, timeout:60);
         ssh_close_connection();
       } else {
          r = NULL;
@@ -46,21 +46,27 @@
   return (r);
 }
 
-function find_file(file_name) {
-  local_var r, sock;
+function find_file(file_name, file_path) {
+  local_var r, f, sock;
 
   r = NULL;
   if (islocalhost()) {
-     r = split(pread(cmd:"locate", argv:make_list("locate", file_name)) );
+     r = split(pread(cmd:"locate", argv:make_list("locate", file_path+file_name)) );
+     if(! isnull(file_path) ) {
+       f = split(pread(cmd:"find", argv:make_list("find", file_path , "-name",  file_name, "-type", "f")));
+     }
   } else {
       sock = ssh_login_or_reuse_connection();
       if (sock) {
-        r = split(ssh_cmd(socket:sock, cmd:"locate "+file_name, timeout:20));
+        r = split(ssh_cmd(socket:sock, cmd:"locate "+file_path+file_name, timeout:60));
+        if(! isnull(file_path) ) {
+          f = split(ssh_cmd(socket:sock, cmd:"find "+file_path+" -name "+file_name+" -type f"));
+        }
         ssh_close_connection();
       } 
   }
   if( ("/locatedb" >< r) || ("execvp:" >< r) || ("fatal error" >< r) || ("No such file or dir" >< r) ) {
-    r = NULL;
+     r = f;
   }
   return (r);
 }
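Review bot: The remote `find` call added to find_file() (`f = split(ssh_cmd(socket:sock, cmd:"find "+file_path+" -name "+file_name+" -type f"));`) is the only ssh_cmd in this function without a `timeout:`, and its `-name` argument is unquoted, so the remote shell expands a pattern such as `libgnutls.so.*.*` in its own working directory before find sees it and any shell metacharacter in file_name or file_path is interpreted by that shell; `cmd:"find "+file_path+" -name '"+file_name+"' -type f", timeout:60` addresses both for callers that pass plain names. The find results in `f` are only used when the locate output contains one of the error markers in the final `if`, so a locate that runs but simply reports no match leaves `r` as the empty locate output and `f` is discarded; also falling back when `r` holds no entries (e.g. `max_index(r) == 0`, assuming split() of empty output yields an empty list) would make the find path useful in the common case. Both callers in this commit pass literal paths, but version_func.inc is a shared include, so the function should not depend on that.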
@@ -73,7 +79,7 @@
   } else {
      sock = ssh_login_or_reuse_connection();
      if (sock) {
-        r = ssh_cmd(socket:sock, cmd:full_prog_name +" "+version_argv, timeout:20);
+        r = ssh_cmd(socket:sock, cmd:full_prog_name +" "+version_argv, timeout:60);
         ssh_close_connection();
       }
   }


